To Centralize or Not To Centralize
Friday, February 3rd, 2006

That is the question this blog post pontificates on. According to a recent study by the Privacy Rights Clearinghouse, of 113 data breaches since February 2005, 55 took place at colleges, universities, and university-affiliated medical centers. A list of data breaches for 2005 has been posted by Neo Scale here, but a few noteworthy ones are Stanford University, UC-Berkeley, and Carnegie Mellon University.
One of the primary reasons cited for the disproportionate number of data breaches at universities is the decentralized environment — data is spread out across various locations on campus, which makes it difficult to control access to it. To a degree, this doesn’t seem very intuitive, and it is certainly contrary to the old saying ‘don’t put all your eggs in one basket’. Centralization not only presents an even more enticing target for would-be hackers, but it also means the result of a successful break-in would be even more catastrophic. However, centralization is more cost effective, as it requires organizations to procure less hardware.
Decentralization, on the other hand, means that if there were a break-in, consumers/students are less likely to have their information compromised. However, decentralization also means that multiple copies of a person’s information may be floating around. The preferable and more secure approach is not entirely clear.
It seems that the largest problems facing decentralized environments are accountability, management, and standards. What can be done about this? Certainly, formalized, comprehensive privacy and security policies would be a step in the right direction, and adherence to these policies is essential. So would continued research into technologies and techniques to combat intrusions.
A full article on the Privacy Rights Clearinghouse study can be found here on the UCSD Guardian Online.
